From owner-freebsd-security@FreeBSD.ORG Fri Apr 9 03:24:30 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6507016A4CE for ; Fri, 9 Apr 2004 03:24:30 -0700 (PDT)
Received: from smtp.netli.com (ip2-pal-focal.netli.com [66.243.52.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1819143D6A for ; Fri, 9 Apr 2004 03:24:30 -0700 (PDT) (envelope-from vlm@netli.com)
Received: (qmail 26767 invoked by uid 84); 9 Apr 2004 10:24:30 -0000
Received: from vlm@netli.com by l3-1 with qmail-scanner-0.96 (uvscan: v4.1.40/v4121. . Clean. Processed in 0.181891 secs); 09 Apr 2004 10:24:30 -0000
Received: from unknown (HELO netli.com) (172.17.1.12) by mx01-pal-lan.netli.lan with SMTP; 9 Apr 2004 10:24:30 -0000
Message-ID: <40767A22.7020900@netli.com>
Date: Fri, 09 Apr 2004 03:25:38 -0700
From: Lev Walkin
Organization: Netli, Inc.
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko/20040307
X-Accept-Language: ru, en-us, en
MIME-Version: 1.0
To: Rumen Telbizov
References: <26486.1081437513@critter.freebsd.dk> <6.0.3.0.0.20040408112048.07218a00@209.112.4.2> <3009DCC4-8986-11D8-88D0-003065ABFD92@mac.com> <20040409090705.GS293@e-card.bg> <40766EE2.9040708@netli.com> <20040409101121.GT293@e-card.bg>
In-Reply-To: <20040409101121.GT293@e-card.bg>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: security@freebsd.org
Subject: Re: recommended SSL-friendly crypto accelerator
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 09 Apr 2004 10:24:30 -0000

Rumen Telbizov wrote:
>
>>>> If both ssh and mod_ssl use the same
>>>> library - openssl - and its functions (3DES),
>>>> how come that one application benefits
>>>> from the hardware acceleration and
>>>> the other one does not?!
>>
>> In order to take advantage of the underlying hardware, openssl
>> either uses its own code for dealing with hardware, or contains
>> a wrapper which in turn employs the vendor-provided library installed
>> on that host (typically, a shared library which will be attached by openssl
>> during its initialization/setting up sequence).
>>
>> However, as
>>  1) the host machine may have several hardware accelerators, and/or
>>  2) it is not generally known whether the requesting application really
>>     WANTS to accelerate things,
>> openssl needs to be explicitly initialized by the application to
>> take advantage of additional hardware. Typically, it may be done by either
>> specifying the type of hardware at that application's configuration level,
>> or an application itself may contain some defaults or a "use first available
>> crypto card" call to openssl. IT VARIES FROM APPLICATION TO APPLICATION,
>> so the fact that every application on your host uses openssl does not
>> automatically mean that they'll use the accelerators. It may well be that
>> one application uses one crypto card, and another one uses a completely
>> separate one, all being on a single machine.
>
> Thanks. I didn't know that.
> So it seems that mod_ssl does NOT tell openssl to try to
> use ANY of the crypto cards, right? What possibly may be
> the reason that one application would not want to use
> the hardware acceleration!? To leave resources for others?
>
> I couldn't find any options for mod_ssl to enable
> usage of crypto cards anyway.

Option names are:

for www/apache13-ssl port:   SSLEngineID
for www/apache13-modssl:     SSLCryptoDevice

By the way, Google is very helpful in finding the SSLEngineID.
It shows over four documents in return %-)

>> Further reading:
>>
>> man engine   # This is an openssl hardware abstraction, mostly by Geoff Thorpe
>
> Thanks
>
> Rumen Telbizov

--
Lev Walkin
vlm@netli.com
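As an added illustration of the point made in the thread (mod_ssl leaves all crypto in software unless it is explicitly told which OpenSSL ENGINE to hand work to), here is an httpd.conf fragment for the www/apache13-modssl layout. This is example configuration written for this page, not text from the thread or from the mod_ssl project; the engine id "cryptodev" and the certificate paths are placeholders, and the id actually available on a given host is whatever `openssl engine` lists there.

```apache
# Added example, not from the thread. Apache 1.3 + mod_ssl (www/apache13-modssl).
# SSLCryptoDevice is a server-config directive: it goes outside any <VirtualHost>.
#
# If the directive is omitted, mod_ssl behaves as if this line were present,
# i.e. every cipher, RSA and digest operation stays in OpenSSL's own software
# code, no matter how many accelerator cards the host has:
#
#   SSLCryptoDevice builtin
#
# To use an accelerator, name the OpenSSL ENGINE id that wraps it. The id must
# match one printed by `openssl engine` on this host. "cryptodev" (the engine
# for FreeBSD's /dev/crypto interface) is used here only as an illustrative
# value, not as a recommendation for any particular card.
SSLCryptoDevice cryptodev

<VirtualHost _default_:443>
    SSLEngine on
    # Placeholder paths; substitute the real certificate and key.
    SSLCertificateFile    /usr/local/etc/apache/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/server.key
</VirtualHost>
```

After editing, `apachectl configtest` rejects an engine id that OpenSSL cannot load, which is the quickest way to confirm whether the web server is actually going to reach the card rather than silently falling back to software. The same split applies to the other applications mentioned in the thread: each one has to be configured (or hard-coded) to pick an engine on its own, so checking one program's accelerator usage says nothing about another's.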